On Wed, Jan 17, 2018 at 10:41:21AM -0500, Michael Orlitzky wrote:
> If I want to create /run/foo and /run/foo/bar, both owned by the "foo"
> user, how would I do it using newpath?
>
> 1. I could create /run/foo with owner "foo", and then create
> /run/foo/bar with owner "foo". That can be done without modifying
> existing permissions, but it's not safe, because you wind up working
> as root in the directory /run/foo which is owned by the non-root
> "foo" user. If newpath disallows that unsafe operation, this approach
> is out.
>
> 2. I could create /run/foo as root:root, and then create /run/foo/bar as
> "foo". That much is safe, but then what do I do about /run/foo? It
> already exists, so if newpath will refuse to modify existing paths,
> then this approach is out too.
>
> That leaves...
>
> 3. I can create /run/foo with owner "foo", and then setuid to the foo
> user. Now, *as the foo user* I can create /run/foo/bar, which will be
> owned by "foo". There's no risk in doing so, because the "foo" user
> can only trick himself. Moreover, the directory is writable only by
> root and the OpenRC user (currently: foo) at that point, so the extra
> safety precautions don't get in the way.

Everything I'm saying here assumes that /run/foo and /run/foo/bar do not
exist. If they do, both approaches 1 and 3 will do nothing other than
warn if the permissions or ownership has changed.

In both approaches 1 and 3, the first step will be to create the
directory /run/foo, then optionally adjust permissions on it. At that
point newpath will exit.

When the second invocation of newpath starts, we know /run/foo/bar
does not exist, and creating /run/foo/bar will fail if /run/foo doesn't
exist.

Since that's true, I don't see what the difference is
between approaches 1 and 3 or what makes approach 1 so unsafe. Call me
dense if you must, lol, I'm just not getting it. At this point we know
that /run/foo is owned by foo, and I've never heard that root working in
a directory it doesn't own isn't safe.

William